How to tell if VLAN is not NAT’d


This topic contains 24 replies, has 0 voices, and was last updated by  wifiguy 9 years, 3 months ago.

Viewing 15 posts - 1 through 15 (of 26 total)
    #42209

    wifiguy
    Member

    Hello all,

    Right now I am sitting in a test environment. I have the WAN port on the ZS server statically assigned. We have a direct allocation from ARIN (American Registry for Internet Numbers), it’s a /22 and it’s our VLAN74.

    Right now VLAN20, 30 and 70 are private VLANs and are NAT’d. I used the following iptables rules to NAT them.

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE

    VLAN74 should not be NAT’d, and from the above iptables rules that should be correct. However, when I put myself on VLAN74 I can gain access to the outside world. In the test environment that I am in right now, there is no route set up for this VLAN, so if this VLAN isn’t being NAT’d, I should not be able to get to the outside world. Once this server is taken from our test lab and put into a production scenario, there will be routing on VLAN74 and outside access will be achieved.

    But as it stands in the test environment that I am in, VLAN74 should not be able to get outside. This leads me to believe VLAN74 is also being NAT’d.

    Is there a way to check this out on the server? From what I am seeing we are not doing anything that would make the server want to NAT vlan74.

    Thoughts?

    #49641

    ppalias
    Member

    1) Make sure eth1 is the wan interface.
    2) Print here the output of

    iptables -t nat -L -v

    #49642

    wifiguy
    Member

    @ppalias wrote:

    1) Make sure eth1 is the wan interface.
    2) Print here the output of

    iptables -t nat -L -v

    Does Eth1 have to be the WAN port? Can it be Eth0?

    #49643

    Marcelo
    Member

    It can be ETH00. I actually use ETH00 as the WAN and ETH01 as the LAN.

    You just have to be careful, as 99% of the examples shown here are the opposite, so you’ll have to remember that…

    Regards,

    #49644

    wifiguy
    Member

    I’ll run the above command from the server when I get back to the office on Monday.

    Thanks all,

    #49645

    wifiguy
    Member

    Alright, here is the output from the iptables -t nat -L -v command.

    root@fw root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 9173 packets, 1528K bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 40 packets, 3240 bytes)
    pkts bytes target prot opt in out source destination
    4134 311K SNATVS all -- any any anywhere anywhere
    4098 308K MASQUERADE all -- any ETH00 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 3949 packets, 300K bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    *****Edit*****
    Here are our pre-boot iptables commands, just so you have them also. The below commands should not include vlan74 to be NAT’d, correct?

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE

    #49646

    ppalias
    Member

    There is a huge mixup here. ZS is NATing everything going out of interface ETH00, and you are trying to NAT some VLANs on interface ETH01. Firstly, make sure which interface is the outside, and then remove the general NAT that ZS does on interface ETH00.

    #49647

    wifiguy
    Member

    @ppalias wrote:

    There is a huge mixup here. ZS is NATing everything going out of interface ETH00, and you are trying to NAT some VLANs on interface ETH01. Firstly, make sure which interface is the outside, and then remove the general NAT that ZS does on interface ETH00.

    I guess I am confused on how to make ZS view my ETH00 as the wan port, and make ETH01, ETH01.20, ETH01.30 and ETH01.70 NAT’d behind ETH00, and how to make ETH01.74 and ETH01.90 not NAT’d……

    How should my Router > NAT page look? I have had ETH00 in the “NAT Enabled Interfaces”, and that’s when everything appears to be NAT’d, and I have had ETH01, ETH01.20, ETH01.30 and ETH01.70 in there leaving ETH00 out….

    Not sure what I am doing wrong.

    #49648

    ppalias
    Member

    First of all which one is the WAN interface…

    #49649

    wifiguy
    Member

    @ppalias wrote:

    First of all which one is the WAN interface…

    ETH00

    #49650

    ppalias
    Member

    Okay, remove ETH00 from the “NAT Enabled Interfaces”. Then add specific iptables commands.

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

    #49651

    wifiguy
    Member

    @ppalias wrote:

    Okay, remove ETH00 from the “NAT Enabled Interfaces”. Then add specific iptables commands.

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

    Ok. So I have tried this several ways.

    Way 1:
    Eth01, eth01.20, eth01.30 and eth01.70 in the NAT Enabled Interfaces with the following iptables rules.

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE

    The iptables -t nat -L -v result is:

    root@fw root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 22 packets, 2606 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 38 packets, 2966 bytes)
    pkts bytes target prot opt in out source destination
    37 3430 SNATVS all -- any any anywhere anywhere
    3 704 MASQUERADE all -- any ETH01 anywhere anywhere
    0 0 MASQUERADE all -- any ETH01.20 anywhere anywhere
    0 0 MASQUERADE all -- any ETH01.30 anywhere anywhere
    0 0 MASQUERADE all -- any ETH01.70 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 41 packets, 3670 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    I also tried it with no interfaces in the NAT Enabled Interfaces, using the following iptables rules:

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

    The iptables -t nat -L -v result is:

    root@fw root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 194 packets, 16902 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 243 packets, 18350 bytes)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- any eth1.70 152.93.0.0/16 anywhere
    0 0 MASQUERADE all -- any eth1.30 192.168.1.0/24 anywhere
    0 0 MASQUERADE all -- any eth1.20 172.30.0.0/16 anywhere
    0 0 MASQUERADE all -- any ETH00 172.30.0.0/16 anywhere
    0 0 MASQUERADE all -- any ETH00 192.168.1.0/24 anywhere
    0 0 MASQUERADE all -- any ETH00 152.93.0.0/16 anywhere
    239 18110 SNATVS all -- any any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 70 packets, 5525 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    Either way, it appears as though it’s not NAT’ing anything. I can’t get out from behind interfaces eth01.20, 30, or 70 that are supposed to be NAT’d.

    Thoughts?

    #49652

    ppalias
    Member

    There seems to be something wrong with the interfaces you are using, as the iptables command is correct.

    -t nat = apply this command in the “nat” table.
    -I POSTROUTING 1 = insert this rule in the POSTROUTING chain at line 1
    --src x.x.x.x/yy = the source IP is x.x.x.x/yy
    -o ETH00 = the output interface is “ETH00”
    -j MASQUERADE = masquerade the source IP with the IP of the interface ETH00
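The original question (“is there a way to check this out on the server?”) and the rule breakdown above both come down to the same check: walk the nat table’s POSTROUTING chain in order, follow jumps into user chains such as SNATVS, and see which SNAT/MASQUERADE rule, if any, a packet from a given source leaving a given interface hits first. The script below is an added example for this thread, not Zeroshell code and not anything the posters ran. It parses the two `iptables -t nat -L -v` listings posted above (embedded here as constructed sample strings); the address 203.0.113.10 is a constructed stand-in for a VLAN74 host, since the real /22 is not on the page.

```python
"""Parse `iptables -t nat -L -v` output and report which POSTROUTING rule
(if any) would NAT a packet from a given source leaving a given interface.

Added example for this thread; not Zeroshell code and not the posters' own.
The two sample listings are the ones posted in the thread. 203.0.113.10 is a
constructed stand-in for a VLAN74 host (the real /22 is not on the page).
"""
import ipaddress
import re

# Sample 1 (from the thread): ETH00 listed under "NAT Enabled Interfaces".
SAMPLE_ETH00_NAT = """\
Chain PREROUTING (policy ACCEPT 9173 packets, 1528K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 40 packets, 3240 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4134  311K SNATVS     all  --  any    any     anywhere             anywhere
 4098  308K MASQUERADE all  --  any    ETH00   anywhere             anywhere

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Sample 2 (from the thread): no NAT-enabled interfaces, only the hand-written
# rules. Note the order: every `-I POSTROUTING 1` lands on top of the rules
# inserted before it, so the eth1.x rules come first.
SAMPLE_PER_SUBNET = """\
Chain POSTROUTING (policy ACCEPT 243 packets, 18350 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  any    eth1.70 152.93.0.0/16        anywhere
    0     0 MASQUERADE all  --  any    eth1.30 192.168.1.0/24       anywhere
    0     0 MASQUERADE all  --  any    eth1.20 172.30.0.0/16        anywhere
    0     0 MASQUERADE all  --  any    ETH00   172.30.0.0/16        anywhere
    0     0 MASQUERADE all  --  any    ETH00   192.168.1.0/24       anywhere
    0     0 MASQUERADE all  --  any    ETH00   152.93.0.0/16        anywhere
  239 18110 SNATVS     all  --  any    any     anywhere             anywhere

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
NAT_TARGETS = {"MASQUERADE", "SNAT"}


def parse_nat_table(listing):
    """Return {chain: {"policy": str or None, "rules": [rule, ...]}} where each
    rule keeps the `-L -v` columns we need (pkts, target, in, out, src, dst)."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or the column-header line
        chains[current]["rules"].append({
            "pkts": f[0], "target": f[2], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8],
        })
    return chains


def _matches(rule, ip, out_if):
    src_ok = rule["src"] == "anywhere" or ip in ipaddress.ip_network(rule["src"], strict=False)
    out_ok = rule["out"] == "any" or rule["out"] == out_if  # interface names are case-sensitive
    return src_ok and out_ok


def first_nat_rule(chains, src_ip, out_if, chain="POSTROUTING"):
    """First SNAT/MASQUERADE rule hit by a packet from src_ip leaving out_if,
    following jumps into user-defined chains (e.g. SNATVS). Returns None when
    the packet falls through to the chain policy, i.e. it is not NAT'd.
    Simplification: targets other than NAT and chain jumps are skipped."""
    ip = ipaddress.ip_address(src_ip)
    for rule in chains.get(chain, {"rules": []})["rules"]:
        if not _matches(rule, ip, out_if):
            continue
        target = rule["target"]
        if target in chains:  # jump into a user-defined chain
            hit = first_nat_rule(chains, src_ip, out_if, target)
            if hit is not None:
                return hit
            continue  # that chain did not NAT the packet; keep walking
        if target in NAT_TARGETS:
            return rule
    return None


def is_natted(listing, src_ip, out_if):
    return first_nat_rule(parse_nat_table(listing), src_ip, out_if) is not None


if __name__ == "__main__":
    for name, listing in (("ETH00 NAT-enabled", SAMPLE_ETH00_NAT),
                          ("per-subnet rules", SAMPLE_PER_SUBNET)):
        for src in ("203.0.113.10", "172.30.0.5"):
            rule = first_nat_rule(parse_nat_table(listing), src, "ETH00")
            verdict = "not NAT'd" if rule is None else f"{rule['target']} ({rule['src']} out {rule['out']})"
            print(f"{name}: {src} via ETH00 -> {verdict}")
```

Run against the first listing, the VLAN74 stand-in leaving ETH00 is caught by the catch-all `MASQUERADE ... out ETH00` rule that Zeroshell installs for a NAT-enabled interface, which is why VLAN74 could reach the outside world. Against the second listing it falls through to the ACCEPT policy and is not NAT’d, while 172.30.0.5 is matched by the `ETH00 172.30.0.0/16` rule. The same check also shows why the three `-o eth1.x` rules never fire: the interface comparison is exact, and the listings show the real names as `ETH01.20` and so on, which is consistent with their zero packet counters.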

    #49653

    wifiguy
    Member

    @ppalias wrote:

    There seems to be something wrong with the interfaces you are using, as the iptables command is correct.

    -t nat = apply this command in the “nat” table.
    -I POSTROUTING 1 = insert this rule in the POSTROUTING chain at line 1
    --src x.x.x.x/yy = the source IP is x.x.x.x/yy
    -o ETH00 = the output interface is “ETH00”
    -j MASQUERADE = masquerade the source IP with the IP of the interface ETH00

    How so? What would be wrong with the interfaces?

    #49654

    wifiguy
    Member

    I am stumped….. We use this same config (minus the WAN IP) on a production router that we have, and all works well.

    Any way you would be willing to take a peek at our config file?
